Are your marketing campaigns unwittingly putting your business at risk?
“What’s PECR?” It continues to surprise me that some marketing and communications teams haven’t heard of the UK Privacy and Electronic Communications Regulations.
If GDPR is the flashy new kid on the block, poor old PECR is the untrendy oldie. That’s right, it’s been around since 2003 – a UK law derived from the EU ePrivacy Directive of 2002. (And as a UK law, yes it still applies post Brexit).
Yet when you look back at ICO action over the past few years, a fair bit concerns PECR violations – this wily old piece of legislation still has bite. So, it’s really worth knowing if what you are up to is legally sound or not.
PECR governs matters such as telemarketing and cookies, and also sets out specific rules for sending marketing emails and SMS messages.
In short, you need to take into account PECR to make sure your sending of emails is legal AND consider UK GDPR requirements for your processing of personal data.
I’ve taken a look here specifically at the rules for email marketing. It’s an area I often get questions about and it can cause some confusion.
(These also apply to SMS marketing and other ‘electronically stored’ messages – including picture or video messages, voicemail messages, in-app messages and personal messaging on social media).
Electronic marketing rules differ across European countries, and indeed the rest of the world. This can be a complex subject. So, I make no apologies for focussing on my own back yard, here in the UK.
When do you need consent for email marketing?
Under PECR you need to have consent to send email marketing to what are termed ‘individual subscribers’. These are people who personally subscribe to their email service provider.
But you don’t always need consent ….
Email marketing and the ‘soft-opt-in’
There’s an exemption from consent under PECR for email marketing to existing customers. This is commonly known as the ‘soft opt-in’. An awful term to my mind, but it does permit you to use an opt-out mechanism.
If you choose to rely on the ‘soft opt-in’ be careful to make sure you follow the rules about when this exemption applies:
- The contact details are collected during the course of a sale (or negotiations of a sale) of a product or service
- An opportunity to refuse or opt-out of the marketing is given at the point of collection, and in every subsequent communication.
- You only send marketing about your own similar products and services
Marketing emails to business contacts
The rules on consent and the soft opt-in under PECR do not apply to ‘corporate subscribers’. A corporate subscriber is where the organisation (as opposed to the individual) has subscribed to the email service. To quote the ICO on this, here’s an extract from their draft Direct Marketing Code of Practice:
“The PECR rules on marketing by electronic mail (e.g. email and text messages) do not apply to corporate subscribers. This means you can send B2B direct marketing emails or texts to any corporate body. However, you must still say who you are and give a valid address for the recipients to unsubscribe from your emails.”
However, you need to be mindful that sole traders and some partnerships fall under the definition of ‘individual subscribers’.
This nuance has led some businesses, who know a significant proportion of their database might be sole traders or partnerships, to choose consent as their lawful basis, to be on the safe side.
Also, bear in mind that if a corporate email address includes people’s names, then you will be processing personal data and fall within the scope of UK GDPR.
What about UK GDPR?
Once you have the PECR rules straight, you need to also consider what’s necessary to comply with UK GDPR. For example, you should be transparent about your activities, fulfil the right to be informed, the right to object to direct marketing and so on.
You also need to identify a lawful basis for your marketing activities and meet the requirements of this lawful basis.
The ICO has been at pains to stress that consent under PECR means meeting the specific requirements of consent under UK GDPR. One of the big changes under GDPR was that the consent requirements became far stricter. It’s worth double-checking you’re meeting them.
If you choose not to rely on consent as your lawful basis under UK GDPR, your other option is legitimate interests.
There is a handy table in the ICO’s legitimate interests guidance under ‘Can we use legitimate interests for our marketing activities?’, which sets out where consent is required and where legitimate interests may be appropriate.
It shouldn’t be a throwaway decision to rely on legitimate interests. GDPR requires you to carefully balance the legitimate interests of your business with the ‘rights and freedoms’ of the people you are going to market to.
You need to take care to make sure the rights of those whose data you’re collecting are not undermined by your choice to use legitimate interests. It’s strongly advised to complete a Legitimate Interests Assessment (known as a balancing test) and keep a record of this.
I wrote about this a while back: Legitimate Interests: It’s legit isn’t it?
Other areas to be mindful of
There are other pitfalls to avoid, such as not disguising a marketing message as a service message. You don’t need consent to send service messages by email for administrative or customer services purposes which contain only essential factual information for your customer. However, if these messages include any promotional content at all, for example an upsell or cross-sell message, they will be deemed to be direct marketing messages and PECR will apply.
Also, asking for permission to market by email IS marketing too.
There’s also the area of ‘hosted’ emails. This is where you might use another organisation to promote your services to their database. This could cause a problem if you are judged to be the ‘instigator’ of these emails, and valid ‘named’ consent wasn’t collected.
These are all areas where the ICO has taken action.
What about the EU’s forthcoming ePrivacy Regulation?
There are ongoing plans to replace the EU ePrivacy Directive (as said earlier, from which the UK’s PECR are derived) with a new EU ePrivacy Regulation.
A final version has proved challenging to reach agreement on, to make sure it is fit for purpose, aligns with GDPR and meets the requirements of technological developments.
We’ll have to see when the time comes whether the UK, outside of the EU, chooses to implement this into UK law.
On the face of it, email marketing rules might seem a minefield of terms: consent, soft opt-ins, opt-outs, legitimate interests, sole traders and corporate subscribers.
But once the rules are embedded into marketing teams’ heads and ways of working, it can make life easier and reduce the chances of unknowingly violating them.
Philippa Donn, February 2020
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.